Sunday, August 28, 2005

SQL Injection attacks

MSDN Magazine describes SQL Injection as:
The basic idea behind a SQL injection attack is this: you create a Web page that allows the user to enter text into a textbox that will be used to execute a query against a database. A hacker enters a malformed SQL statement into the textbox that changes the nature of the query so that it can be used to break into, alter, or damage the back-end database.

So why am I writing about SQL injection today? Well, I ran into a prominent yellow pages site yesterday and happened to notice that the way they construct their URLs, they are inviting hackers to come in and perform SQL injection attacks. Here is their URL (no, I am not telling you what site it was, but if you really want to know then nothing can stop you):

http://someyellowpagesite/cgi-bin/p_yellowpages.cgi?id=3&SQLQuery=SELECT%20LISTING.NAME,LISTING.ADDRESS,LISTING.PHONE,LISTING.CONTACT,LISTING.EMAIL%20FROM%20LISTING%20WHERE%20LISTING.BCCODE=%2248280%22%20ORDER%20BY%20LISTING.NAME&StartRec=21&EndRec=40&TotalRec=2527&SearchName=0&SearchDir=0&SearchClass=1

Notice how they embed the entire SQL query right there in the URL. The server takes that text and runs it as-is, so whoever holds the browser effectively holds a database console. What do you think happens if you change a clause or two in that query, say by dropping the WHERE so every listing in every category comes back? Heck, what happens if you remove the query and instead put in something that drops the LISTING table altogether? The possibilities are limited only by your imagination.

The damage done by SQL injection depends largely on the target environment and its configuration. It can be used to cause a denial of service, by making the database do expensive or pointless work. On database servers that expose operating-system commands to SQL (SQL Server's xp_cmdshell is the classic case), it can be used to run commands on the server, which can lead to getting access to that box itself. It can also be used to read, corrupt or delete the data on the back end. Endless possibilities.

So fellas, whenever you write applications, always validate the input passed in from the user: decide what each parameter is allowed to look like (a numeric category code, a page number) and reject anything else. Keep the SQL inside the application and hand it only values, through parameterized queries, so user input is never spliced into the query text. And never, ever take SQL queries or commands from the web tier.
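To make the two points above concrete, here is an added example (mine, not the yellow pages site's code, whose CGI script and database are unknown). It uses Python with an in-memory SQLite database standing in for the back end, with invented sample rows built on the column names visible in the URL. The vulnerable function reproduces the site's pattern, running whatever SQL arrives in SQLQuery, and the two tampered URLs show the WHERE clause being stripped and the table being dropped. The hardened function accepts only a category code and paging numbers (the parameter names bccode, StartRec, EndRec and the digits-only format are assumptions), validates them against a whitelist, and binds them as query parameters. Single quotes are used in the sample URL where the real one used %22, because SQLite's handling of double-quoted strings varies by build.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (invented for this example) using the column names
# visible in the site's URL. BCCODE is the business-category code.
SAMPLE_ROWS = [
    ("Acme Plumbing", "1 Main St", "555-0100", "A. Smith", "acme@example.com", "48280"),
    ("Best Plumbing", "2 High St", "555-0101", "B. Jones", "best@example.com", "48280"),
    ("City Florist", "3 Rose Ave", "555-0102", "C. Brown", "city@example.com", "48290"),
]


def new_database():
    """In-memory SQLite database standing in for the site's unknown RDBMS."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE LISTING (NAME TEXT, ADDRESS TEXT, PHONE TEXT, "
               "CONTACT TEXT, EMAIL TEXT, BCCODE TEXT)")
    db.executemany("INSERT INTO LISTING VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def table_exists(db, name="LISTING"):
    row = db.execute("SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?",
                     (name,)).fetchone()
    return row[0] == 1


# --- The pattern in the post: the SQL text itself arrives in the query string. ---
VULN_BASE = "http://someyellowpagesite/cgi-bin/p_yellowpages.cgi?id=3&SQLQuery="
# The request the site itself would issue (single quotes assumed, see lead-in).
LEGIT_URL = VULN_BASE + ("SELECT%20NAME,EMAIL%20FROM%20LISTING%20WHERE%20BCCODE=%2748280%27"
                         "%20ORDER%20BY%20NAME&StartRec=1&EndRec=20")
# Tampered: the WHERE clause is removed, so every category is returned.
DUMP_ALL_URL = VULN_BASE + "SELECT%20NAME,EMAIL%20FROM%20LISTING%20ORDER%20BY%20NAME"
# Tampered: the query is replaced outright with a destructive statement.
DROP_URL = VULN_BASE + "DROP%20TABLE%20LISTING"


def vulnerable_lookup(db, url):
    """Runs whatever SQL the client put in SQLQuery. This is the bug."""
    params = parse_qs(urlsplit(url).query)
    sql = params["SQLQuery"][0]          # fully attacker-controlled text
    return db.execute(sql).fetchall()


# --- Hardened form: only typed values cross the web tier; the SQL stays here. ---
SAFE_BASE = "http://someyellowpagesite/cgi-bin/p_yellowpages.cgi?"
SAFE_URL = SAFE_BASE + "bccode=48280"
SAFE_TAMPERED_URL = SAFE_BASE + "bccode=48280%27%20OR%201=1--"
BCCODE_RE = re.compile(r"[0-9]{1,8}")   # assumed format of a category code


def _int_param(params, name, default, lo, hi):
    """Parse a bounded non-negative integer parameter or refuse the request."""
    raw = params.get(name, [str(default)])[0]
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError(f"{name} must be a non-negative integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"{name} out of range")
    return value


def safe_lookup(db, url):
    """Whitelist-validate each parameter, then bind it; never splice it into SQL."""
    params = parse_qs(urlsplit(url).query)
    bccode = params.get("bccode", [""])[0]
    if not BCCODE_RE.fullmatch(bccode):
        raise ValueError("invalid category code")
    start = _int_param(params, "StartRec", 1, 1, 1_000_000)
    end = _int_param(params, "EndRec", start + 19, start, start + 99)
    return db.execute("SELECT NAME, ADDRESS, PHONE, CONTACT, EMAIL FROM LISTING "
                      "WHERE BCCODE = ? ORDER BY NAME LIMIT ? OFFSET ?",
                      (bccode, end - start + 1, start - 1)).fetchall()


def is_rejected(db, url):
    """True if the hardened lookup refuses the request before touching the database."""
    try:
        safe_lookup(db, url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = new_database()
    print("legit:   ", vulnerable_lookup(db, LEGIT_URL))
    print("dump all:", vulnerable_lookup(db, DUMP_ALL_URL))
    vulnerable_lookup(db, DROP_URL)
    print("LISTING still exists after tampering:", table_exists(db))
    db = new_database()
    print("safe:    ", safe_lookup(db, SAFE_URL))
    print("tampered request rejected:", is_rejected(db, SAFE_TAMPERED_URL))
```

The hardened version does two separate things, and both matter: the regex rejects anything that is not shaped like a category code before any SQL is built, and the `?` placeholders mean that even a value which slipped past validation would be sent to the database as data rather than as part of the statement. The paging numbers get the same treatment, because any parameter that ends up near SQL text is a target.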


Copyright Anand Jain 2004, 2005. All rights reserved.